Prevent ACME challenge TXT records from being left behind in CloudDNS

[tkna]

Pull Request Motivation

Relates to #3640

Cloud DNS’s resourceRecordSets.list API returns only a fixed number of records per request (1000 at the time I checked).
https://cloud.google.com/dns/docs/reference/rest/v1/resourceRecordSets/list

func (r *ResourceRecordSetsService) List(), which uses this API, therefore returns only the first 1000 records. As a result, ACME TXT records are not always cleaned up when the total number of resource records exceeds 1000.

This PR fixes the issue by querying only the target record instead of listing all records, avoiding pagination.

Kind

/kind bug

Release Note

Fix an issue where ACME challenge TXT records are not cleaned up when there are many resource records in CloudDNS.

[cert-manager-prow]

Hi @tkna. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hjoshi123]

@tkna thank you for raising this PR. This PR does help alleviate some of the problem since filtering specific results would often not result in a lot of results but looking at the documentation it seems like the filters don't specifically prevent pagination. Correct me if I am wrong on this since I am not super specific about google's SDK.
Maybe the solution here is use both filters and pagination?

[erikgb]

I am pretty sure these changes won't fully resolve #3640, so I have updated the description from "fixes" to "relates to"to avoid the issue being closed prematurely.

[tkna]

@hjoshi123
In Cloud DNS, it seems you cannot create a record set with the same name and type as an existing one. Therefore, I don't think pagination is necessary: if we filter by name and type, the result should be either 0 or 1.

$ cat rrset.json
{
  "name": "example.our-zone.our-domain.",
  "type": "TXT",
  "ttl": 300,
  "rrdatas": [
    "example"
  ],
}
$ curl -s -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" https://dns.googleapis.com/dns/v1/projects/our-project/managedZones/our-zone/rrsets -d @rrset.json
{
  "name": "example.our-zone.our-domain.",
  "type": "TXT",
  "ttl": 300,
  "rrdatas": [
    "\"example\""
  ],
  "signatureRrdatas": [],
  "kind": "dns#resourceRecordSet"
}
$ curl -s -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" https://dns.googleapis.com/dns/v1/projects/our-project/managedZones/our-zone/rrsets -d @rrset.json
{
  "error": {
    "code": 409,
    "message": "The resource 'entity.rrset' named 'example.our-zone.our-domain. (TXT)' already exists",
    "errors": [
      {
        "message": "The resource 'entity.rrset' named 'example.our-zone.our-domain. (TXT)' already exists",
        "domain": "global",
        "reason": "alreadyExists"
      }
    ]
  }
}
$

Related to this, the existing code (example) seems to assume that multiple records may be returned, but I'm not sure why. I can refactor it if needed.

If the concern is that the name/type filters might be applied only to the first 1,000 records, here are my test results from our environment with more than 1,000 records. Our "helloworld" record is not found without any filters, but it is found when using the name/type filter. (From my testing, the order of the returned list appears to be stable across requests)

$ curl -s -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://dns.googleapis.com/dns/v1/projects/our-project/managedZones/our-zone/rrsets" | jq '.rrsets | length'
1000
$ curl -s -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://dns.googleapis.com/dns/v1/projects/our-project/managedZones/our-zone/rrsets" | jq '.rrsets[].name' | grep "helloworld"
$ curl -s -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://dns.googleapis.com/dns/v1/projects/our-project/managedZones/our-zone/rrsets?name=_acme-challenge.helloworld.our-zone.our-domain.&type=TXT"
{
  "rrsets": [
    {
      "name": "_acme-challenge.helloworld.our-zone.our-domain.",
      "type": "TXT",
      "ttl": 60,
      "rrdatas": [
        (snip)
      ],
      "signatureRrdatas": [],
      "kind": "dns#resourceRecordSet"
    }
  ],
  "kind": "dns#resourceRecordSetsListResponse"
}
$

[hjoshi123]

Thank you for clearing that up @tkna.. those details really help.. it also seems we do this in Present in some form

cert-manager/pkg/issuer/acme/dns/clouddns/clouddns.go

Line 160 in 7d89aee

list, err := c.client.ResourceRecordSets.

So this might also be better to have an uniform approach.. As erik said the issue I think also exists with other providers so this PR will not fix those and hence the relates makes sense.

/ok-to-test

[hjoshi123]

This PR seems safe enough to merge given that it doesn't introduce anything new that we already dont do in Present.

/lgtm

[hjoshi123]

/cc @erikgb

[Copilot]

Pull request overview

This PR fixes an issue where ACME challenge TXT records were not being cleaned up in Google Cloud DNS when the total number of resource records in a zone exceeded 1000. The root cause was that the Cloud DNS API's resourceRecordSets.list method returns a maximum of 1000 records per request without pagination, and the code wasn't handling this limitation.

Changes:

• Added Name() and Type() filters to the Cloud DNS API call in findTxtRecords() to query only the specific TXT record by name
• Simplified the loop logic by removing redundant type and name checks, since filtering is now done at the API level
• This ensures ACME challenge records are found and cleaned up regardless of the total number of records in the zone

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[erikgb]

Thanks @tkna! And @hjoshi123 for the review" 🚀

/approve

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [erikgb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment